A simple Windows rootkit that I have written to explore the world of rootkits and the Windows kernel in general. The Venom rootkit uses a few well-known methods that are also used by other famous rootkits. The main features are listed in the "Features" section below.
The Venom rootkit is composed of three major components:
- The driver (Venom), which we load on the target machine.
- The client DLL (Venom Client), which the driver loads via APC injection.
- The C&C server, to which the client connects, allowing control over the rootkit instances.
The core of the rootkit is of course the driver, which contains all the logic; the client exists only to control it. Venom works by first hooking the NSI driver, which is later used to hide a port of our choice. It then queues a kernel-mode APC that in turn queues a user-mode APC, which runs a shellcode that loads the Venom client DLL into a process of our choice. You can read more about why I create a kernel APC that creates a user APC here. Lastly, the Venom client connects back to the C&C server, from which we can control the driver and use all of its features.
A little demo of the port hiding feature.
## Features
- Dynamic APC injection to load the user-mode DLL.
- Process hiding.
- Token elevation to "NT AUTHORITY\SYSTEM".
- Command execution.
- TCP port hiding by IRP hooking the nsiproxy driver.
- C&C server communication.
- Deleting the driver and the DLL from disk after loading.
- Drop the DLL at `C:\hooking.dll`
- Drop the driver at a place of your choice
- Run the C&C with:

```
python main.py
```

- Load the driver:

```
sc create venom type= kernel binPath= {path_to_file} displayName= venom
sc start venom
```
There are many improvements to be made in each component, especially in the client and the C&C, which I wrote quickly for the PoC. Currently the client is very limited and static, so there is a lot to improve there. Looking at each capability of the rootkit itself, there are better ways to achieve the goal. For example, replacing a process token with the System process token is very easy to detect; a better way would be to modify only the relevant values inside the existing token. Likewise, for the NSI hook, IRP hooking of the dispatch routine is also very easy to detect. So stay tuned for future changes, and feel free to contribute your own!
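Since both the port hiding and the process hiding features listed above only tamper with one view of the system (the NSI answer that netstat relies on, and the process list that user-mode enumeration relies on), a defender can catch them with a cross-view check: obtain the same information through a second path and diff the two. The script below is an added example written for this README; it is not part of the Venom project. It assumes it is run from an elevated PowerShell prompt on the host being examined, that the hidden listener is bound to the loopback address (a listener bound only to an external interface would need the sweep target changed), and that the PID range of 4..65535 in steps of 4 covers the machine; the function names and the `Win32.Proc` P/Invoke wrapper are this example's own.

```powershell
# Added example (not project code): cross-view detection of hidden listening
# ports and hidden processes. Run elevated.

# --- 1. Listening TCP ports: netstat (NSI-based) vs. a local connect sweep ---
function Get-NetstatListeningPorts {
    # Parse "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  1234" style lines.
    $ports = @()
    netstat -ano -p TCP | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            $ports += [int]$Matches[2]
        }
    }
    return $ports | Sort-Object -Unique
}

function Find-HiddenListeningPorts {
    param([int]$From = 1, [int]$To = 65535, [int]$TimeoutMs = 200)
    $listed = Get-NetstatListeningPorts
    $hidden = @()
    foreach ($port in $From..$To) {
        # A hooked NSI driver can filter what netstat reports, but it cannot
        # stop a real TCP connect from succeeding on a port that is listening.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect('127.0.0.1', $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                if ($listed -notcontains $port) { $hidden += $port }
            }
        } catch {
            # refused / timed out: nothing listening on this port
        } finally {
            $client.Close()
        }
    }
    return $hidden
}

# --- 2. Processes: Get-Process (list walk) vs. OpenProcess by PID (handle table) ---
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Find-HiddenProcesses {
    param([int]$MaxPid = 65535)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $listed = (Get-Process).Id
    $hidden = @()
    # Windows PIDs are multiples of 4; PID 0 (Idle) is skipped on purpose.
    # Note: $pid is a PowerShell automatic variable, so a different name is used.
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # A process unlinked from the kernel's process list is still reachable
        # through its PID, so either a valid handle or ACCESS_DENIED (a
        # protected process) proves the PID is alive.
        $alive = ($h -ne [IntPtr]::Zero) -or ($err -eq $ERROR_ACCESS_DENIED)
        if ($h -ne [IntPtr]::Zero) { [void][Win32.Proc]::CloseHandle($h) }
        if ($alive -and ($listed -notcontains $candidate)) { $hidden += $candidate }
    }
    return $hidden
}

$hiddenPorts = Find-HiddenListeningPorts
$hiddenProcs = Find-HiddenProcesses
"Listening ports not reported by netstat: $($hiddenPorts -join ', ')"
"Live PIDs not reported by Get-Process:   $($hiddenProcs -join ', ')"
```

Treat a hit as a lead rather than a verdict: a process that starts or exits between the two enumerations produces a one-off mismatch, so re-run the check and confirm that the same PID or port keeps appearing. The full port sweep takes a few minutes and the connect attempts themselves show up in host logs, which is fine for an investigation but worth knowing before running it on a production box.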
I want to thank @omerk2511 for helping and guiding me.
This project is for educational purposes only, I am not responsible for any kind of abuse.